Shamoon Worm Linked to Saudi Oil Company Attack


There's a link between the Shamoon worm and the malware attack on
the Saudi Aramco oil company last week, and the link is a preset
timestamp, says Kaspersky Lab.

Meanwhile, a threat has been made against the state-owned Saudi
oil company promising further attacks Saturday (Aug. 25).

Last Wednesday (Aug. 15), Saudi Aramco said it had suffered a
crippling malware attack that had forced it to take all its
computers offline.

That same day, a previously unknown group calling itself "Cutting
Sword of Justice" posted a text file to Pastebin claiming
responsibility for the Aramco attack.

"We penetrated a system of Aramco company by using the hacked
systems in several countries and then sent a malicious virus to
destroy thirty thousand computers networked in this company,"
read the post. "The destruction operations began on Wednesday,
Aug 15, 2012 at 11:08 a.m. (local time in Saudi Arabia) and will
be completed within a few hours."

The following day, Russia's Kaspersky Lab, the Israeli security
firm Seculert and California-based Symantec all
revealed the discovery of Shamoon, an extremely destructive
piece of malware found in the Middle East.

Unlike most malware, which tries to operate without being
detected, Shamoon sets out to completely erase and destroy the
infected computer once it has transmitted a list of the machine's
files to a still-unidentified server.

"The dropper determines whether a specified date has come or
not," wrote Kaspersky's Dmitry Tarakanov in a blog posting Tuesday. "The hardcoded
date is 15th August 2012 08:08 UTC" — 11:08 a.m. in Saudi
Arabia.

"I think we can confirm that #Shamoon kill-timer was the same
(08:08 UTC) as was announced in anons statement here," tweeted Kaspersky Chief Security Expert
Aleks Gostev yesterday, referring to the Pastebin posting.

Saudi Aramco has not commented on what caused it to take all its
computers offline last Wednesday. Kaspersky has not flat-out
stated that Shamoon was the cause, nor have Symantec or
Seculert.

"The timing and malware behavior look the same, but this is not
hard evidence," Seculert co-founder and chief technology officer
Aviv Raff told the Dark Reading security blog.
"Also, the IP address, 10.1.252.19, we saw in the malware
samples we analyzed is not in the list on the Pastebin
[post]."

Persian mirrors

Jeffrey Carr, CEO of Taia Global, a self-described "boutique
security firm" based in northern Virginia, believes the culprit
might be a bigger fish: Iran, which is suffering economically
under American and European oil sanctions tied to Iran's nuclear
program.

"I've heard speculation from more than one source in Saudi Arabia
that the malware attack against Saudi Aramco's network was an
Iranian operation to discourage Saudi Aramco from increasing its
oil production," Carr wrote in a blog posting.

"Iran has been known to use its indigenous hacker population to
run state-sponsored attacks in the past," Carr added.

The notion that Shamoon was created by amateurs rather than by
seasoned developers is something Kaspersky would likely agree
with. There appears to be a clumsy error in the way the preset
timestamp check in the Shamoon code works.

"It seems that the function to check the date works incorrectly.
If the intention is to divide the timeline into 'before' and
'after' a particular checkpoint, then the author has failed,"
Tarakanov wrote in yesterday's blog posting. "Experienced
programmers would hardly be expected to mess up a date comparison
routine."
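The failure Tarakanov describes is easier to see with two concrete comparison routines side by side. The Python below is an added illustration, not Shamoon's decompiled code and not Kaspersky's analysis: the field-by-field check is a hypothetical reconstruction of the class of mistake (comparing year, month, day, hour and minute independently instead of comparing one ordered timestamp), and the only value taken from the article is the hard-coded kill date of 15 Aug 2012 08:08 UTC. The sample clock readings are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed illustration, not Shamoon's code. The only fact taken from
# the article is the reported kill date, 15 Aug 2012 08:08 UTC.
KILL_DATE = datetime(2012, 8, 15, 8, 8, tzinfo=timezone.utc)
# Arabia Standard Time is UTC+3 year-round (no daylight saving).
SAUDI_TZ = timezone(timedelta(hours=3), "AST")


def kill_date_local() -> str:
    """Render the hard-coded UTC kill date as Saudi local time."""
    return KILL_DATE.astimezone(SAUDI_TZ).strftime("%Y-%m-%d %H:%M")


def naive_kill_check(now_utc: datetime) -> bool:
    """Hypothetical field-by-field check of the kind that cannot split a
    timeline into 'before' and 'after': each component is compared on its
    own, so 1 Sep 2012 counts as 'too early' simply because 1 < 15."""
    pairs = [
        (now_utc.year, KILL_DATE.year),
        (now_utc.month, KILL_DATE.month),
        (now_utc.day, KILL_DATE.day),
        (now_utc.hour, KILL_DATE.hour),
        (now_utc.minute, KILL_DATE.minute),
    ]
    return all(current >= target for current, target in pairs)


def correct_kill_check(now_utc: datetime) -> bool:
    """A single comparison on a totally ordered timestamp."""
    return now_utc >= KILL_DATE


def evaluate(iso_utc: str) -> tuple:
    """Return (naive_result, correct_result) for an ISO 8601 UTC time."""
    now = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return naive_kill_check(now), correct_kill_check(now)


def disagreements(samples) -> list:
    """Timestamps on which the two routines give different answers."""
    return [s for s in samples if evaluate(s)[0] != evaluate(s)[1]]


if __name__ == "__main__":
    # Constructed sample clock readings, all UTC.
    clocks = [
        "2012-08-14T09:00",  # the day before: both say 'not yet'
        "2012-08-15T08:08",  # the kill minute: both say 'go'
        "2012-09-01T12:00",  # later, but day 1 < 15: naive says 'not yet'
        "2013-01-20T10:30",  # months later, month 1 < 8: naive says 'not yet'
    ]
    print("kill date in Saudi Arabia:", kill_date_local())
    for clock in clocks:
        print(clock, "naive=%s correct=%s" % evaluate(clock))
    print("disagreements:", disagreements(clocks))
```

The field-by-field routine never fires early (every component being at or past its target implies the timestamp is at or past the kill date), but it keeps answering "not yet" on many later dates, which is exactly a failure to divide the timeline into a clean before and after.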

"Saudi Aramco is thinking that the 15 Aug. attack was done by us
but with a man in the middle helping us with different kind of
info and that's the reason why the head management of Aramco is
still investigating," read a Pastebin posting put up early today (Aug. 23).

"What we're going to do to prove our ability to do more?" asked
the writer. "We are going to make it, next week, once again, and
you will not be able by 1% to stop us."

He then gave a date and time of Saturday, Aug. 25, 21:00 GMT,
which is midnight in Saudi Arabia and 5 p.m. Eastern time in the
U.S.

"That will happen for two reasons," added the poster. "1- you're
brutal and selfish to harm any employee just for the sake of
expecting. 2- we do hate, hate a lot, arrogance."